CVE-2025-68604
Cross-Site Request Forgery in WPGraphQL
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpgraphql | wpgraphql | to 2.5.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WPGraphQL WordPress plugin, affecting versions 2.5.3 and earlier.
It allows an attacker to trick authenticated users into performing unwanted actions by making them click a malicious link or submit a form, exploiting their current authentication without their consent.
The vulnerability has a low severity impact with a CVSS score of 5.4 and was fixed in version 2.5.4 of the plugin.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow attackers to force users with higher privileges to execute unwanted actions on the WordPress site while they are authenticated.
This could lead to unauthorized changes or operations being performed without the user's knowledge.
However, the risk is considered low because exploitation requires user interaction, such as clicking a malicious link.
Immediate updating to version 2.5.4 or later is recommended to mitigate this risk.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WPGraphQL plugin to version 2.5.4 or later.
Additionally, Patchstack users can enable auto-updates for vulnerable plugins to ensure timely patching.